Identity management is one of the growing security concerns in enterprise IT services. According to Information Security Breaches Survey 2004 [SecurityBreach2004], security breaches due to identity management flaws are increasing. Confidentiality breaches can cause disruption to business services and may result in large financial losses, with 15 percent of cases costing £100,000 (Great British Pound, which is about US $250,000) in legal fees, investigation costs, and fines. They usually take at least 10 to 20 man-days to resolve. From the survey findings, 80 percent of the security attacks are from external sources. Identity is the key to unlocking access to business services, applications, and resources. It is extremely important to secure the identity by authenticating the user prior to that user accessing any resources within the enterprise. In addition, identity is a major piece of information security management that is addressed by compliance and regulatory requirements (such as Sarbanes-Oxley in the United States). It is a strategic area in the management of security risks that threaten mission-critical business applications.

This chapter will discuss the identity management technologies for single sign-on and policy management using standards such as SAML, Liberty, and XACML. It will also discuss their logical architecture.

Identity Management–Core Issues

As portals and Web-based applications proliferate, consumers tend to create new user accounts in different Web sites. Different online portals and Web sites have different security policies for creating user accounts and managing user passwords. Very often, consumers have to maintain a number of “digital” user identities (user account names and passwords). There are also information aggregators that extract user information from various Web sites and sell them to large corporations for database marketing. These digital user identities are often open to abuse or identity theft. Since these digital identities are managed by individual Web sites, and the security protection capability of individual Web sites varies, consumers have no control over the protection of their user identity and their privacy if these Web sites are attacked. According to the previously mentioned Information Security Breaches Survey 2004 [SecurityBreach2004], identity theft is becoming a major concern for consumers. Consumers want to be assured that their digital identity is reliable and secure so that they can shop securely online. This is fairly challenging, even with a robust and reliable identity management system.

Business corporations have different and complicated identity-related issues. Many of these organizations have customized user authentication and authorization mechanisms for their legacy systems, which may not share the same security implementation (such as authentication mechanisms and PKI operations) or infrastructure (such as authentication server, policy, and directory). Thus, users are often required to have individual user accounts and passwords for each application system. As the number of applications and systems grow, there is a need for using a single user identity for authentication and authorization across multiple systems and infrastructures. This can provide flexibility in collaborating with different business functions. However, achieving a single sign-on to multiple systems and infrastructures requires considerable security integration and interoperability. Areas involved include how to manage keys and certificates, and how to enable legacy systems to share the common user authentication mechanism or security provider infrastructure for authentication.

Another challenge is dealing with user identity for Business-to-Business (B2B) applications such as B2B workflow and supply chain applications. Users often require different user identities to sign on to each system hosted by the participating trading partners. Managing different user accounts and passwords among the trading partners adds complexity, particularly when any user password change needs to be synchronized in each system. Trading partners need to agree how to provision a new user account in each system that has its own security requirements. There are also integration issues if the trading partners want to adopt and implement a common user authentication and authorization infrastructure to streamline collaboration. Agreeing on a common user authentication mechanism among different security infrastructure and application systems is not trivial. If any of the vendor products or underlying technologies change (for example, by a product upgrade), all user authentication interfaces need to be retested again or the business-to-business workflow may have security related issues.

Compliance with United States federal regulations such as the Sarbanes-Oxley Act, HIPAA, and the Patriot Act also pose another challenge for identity management. Business corporations have to provide a reliable and thorough auditing capability to detect and manage any unusual or suspicious changes in user accounts or profiles. Building such capability is not trivial. This will require a sophisticated identity management infrastructure that can detect and manage any potential security vulnerabilities and threats, including identity spoofing and identity theft.

The security vulnerabilities and threats related to user identities are likely to impact more than one single application system, because user identities are used and processed across multiple systems, whether local or distributed. As discussed in Chapter 1, the following security vulnerabilities and threats will also apply to managing user identities:

Denial of Service attacks on security infrastructures that handle user authentication and authorization

It is crucial for security architects and developers to understand the security issues that are related to managing user identities. The following sections introduce the concept of identity management, the associated industry standards, and their logical architecture. They also discuss how these standards and standards-based technologies can help address the challenges of managing user identities.